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(54) Secure integrated chip with conductive shield 



(57) A chip includes a secure section 1 1 having a 
fuse element 56 and a fuse altering device 58. A prede- 
termined data pattern is formed by wiring and inverters 
62 connected between an erasable memory 52 and an 
AND gate 60. An enabling circuit 55 allows the predeter- 
mined data pattern to be written into the memory 52 
when an appropriate control signal is received at a ter- 
minal 63. The state of the fuse element 56 is then irre- 
versibly altered by the fuse altering device 58 so that the 



predetermined data pattern in the memory 52 cannot be 
changed. After final pressing and packaging, secure 
data may be stored in a secure memory M since the 
data pattern in the memory 52 is the same as that in the 
inverters 62. Once the secure data is stored, an erase 
signal is provided to terminal 66 which thereby erases 
the memory 52. The contents of the secure memory M 
are thereafter unalterable. 
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Description 

[0001] The present invention generally pertains to 
integrated circuit chips for electronic data processing 
systems and is particularly directed to preventing 
inspection and/or modification of secure data that is 
stored or processed within a secure area of an inte- 
grated circuit chip. 

[0002] Integrated circuit chips that process and store 
secure data include a secure area containing circuit ele- 
ments for processing and storing the secure data, and a 
non secure area containing circuit elements for 
processing and storing non secure data and control sig- 
nals. An integrated circuit chip contains a semi-conduc- 
tive layer containing diffusions defining circuit element " 
components; and a first conductive layer coupled to the 
semi-conductive layer to interconnect the components 
to thereby define the circuit elements. All modern inte- 
grated circuit chips include one or more conductive lay- 
ers, typically for interconnecting circuit elements and 
components thereof. Generally these layers are used 
for both control signal and power signal distribution in a 
way that is intended to maximise signal interconnection 
density and reduce the area required for such intercon- 
nections. 

[0003] The secure area further contains circuit ele- 
ments for transferring non secure data and control sig- 
nals to a data bus within the secure area for processing 
with the secure data by data processing circuit elements 
within the secure area. Logic circuit elements within the 
secure area enable the nonsecure data and the control 
signals to be transferred between the non secure area 
and the data bus within the secure area in response to 
control signals generated by the data processing circuit 
elements within the secure area. 
[0004] Nevertheless, even though the secure data 
cannot be readily transferred in such an integrated cir- 
cuit chip from the secure area to the non secure area, it 
is possible to gain access to secure data stored or being 
processed within the secure area by inspecting the 
secure area with such diagnostic tools as a scanning 
electron microscope (SEM) or a probe that couples an 
oscilloscope to a given node within the secure area from 
which the secure data can be accessed. Also, by deliv- 
ering appropriate control signals to the logic circuit ele- 
ments within the secure area by such means as a 
probe, it may be possible to cause the logic circuit to 
enable transfer of secure data to the nonsecure area 
from a data bus within the secure area that carries both 
nonsecure and secure data for processing by the data 
processing circuit elements within the secure area or to 
enable the secure data stored within the secure area to 
be replaced by clandestine data that would enable the 
intended security of the chip to be compromised. 
[0005] The present invention provides an integrated 
circuit chip containing a secure area in which secure 
data is processed and/or stored, comprising: 



a semiconductor layer containing diffusions defin- 
ing circuit element components; 

a first conductive layer coupled to the semiconduc- 
5 tor layer to interconnect the components to thereby 
define circuit elements for distributing, storing, 
processing and/or affecting the processing of 
secure data; 

10 a second conductive layer overlying the circuit ele- 
ments to thereby define a secure area in which the 
circuit elements are shielded from inspection, and 
coupled to the circuit elements for conducting to the 
circuit elements a predetermined signal that is 

is essential to an intended function of the circuit ele- 
ments, whereby removal of the second conductive 
layer will prevent the predetermined essential sig- 
nal from being provided to the circuit elements and 
thereby prevent the intended function; 

20 characterised in that the shielded circuit elements 
further comprise: 

a fuse element having an initial state and an irre- 
versibly altered state; and 

25 

means coupled to the fuse element for irrevers- 
ibly altering the state of the fuse element in 
response to a predetermined control signal; 
wherein the fuse element is coupled to another 
30 component of the chip such that irreversibly 

altering the state of the fuse element prevents 
some function of the chip. 

[0006] The invention will now be described by way of 
35 example with reference to the drawings in which :- 

Figure 1 is a block diagram of an integrated circuit 
chip to which the present invention can be applied; 

40 Figure 2 is a cross-sectional view illustrating the 
shielding of MOS circuit element components in the 
Figure 1 integrated circuit chip; 

Figure 3 is a plan view illustrating the use of an 
45 overlying conductive layer to shield circuit element 
components and to conduct a predetermined signal 
to shielded MOS circuit elements; 

Figure 4 is a cross-sectional view illustrating the 
so shielding of bipolar circuit element components in 
an integrated circuit chip; 

Figure 5 is a cross-sectional view illustrating the 
use of an overlying conductive layer to shield circuit 
55 elements and to conduct power to the shielded cir- 
cuit elements; 

Figure 6 is a block diagram illustrating an alterna- 
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tive topology for shielding a plurality of volatile 
memories; 

Figure 7 is a plan view illustrating the use of an 
overlying conductive layer to carry a signal essen- 
tial to the function of a circuit element; 

Figure 8 is a block diagram of a system in the 
secure area of the chip for preventing the alteration 
- of secure data stored in a predetermined memory 
location in accordance with the present invention; 

Figure 9 is a block diagram of an alternative embod- 
iment of a system in the secure area of the chip for 
preventing the alteration of secure data stored in a 
predetermined memory location; and 

Figure 10 is a block diagram of a system in the 
secure area of the chip for limiting when the secure 
area may be accessed for testing. 

[0007] Referring to Figure 1 . a preferred integrated cir- 
cuit chip 10 with which the present invention may be 
used includes a secure area 1 1 and a non secure area 
12. 7tie chip 10 is a VLSI (Very Large Scale Integrated) 
circuit chip. Within the secure area 11, the chip 10 
defines the following circuit elements: a microprocessor 
14 for processing secure data, a plurality of memories 
M i. M 2, M n ft> r storing secure data, a secure data bus 16, 
a secure address bus 17, transfer logic circuits 18. and 
secure clock and power control circuits 20. The chip 10 
need not be limited to such a specific mixture of circuit 
elements, but may contain any mixture of circuit ele- 
ments wherein secure data is to be either protected 
against unauthorised attacks of reading out or modifica- 
tion of secure data and/or instructions. The memories 
M 1t M 2 . M n can be of any type, to wit: RAM (random- 
access memory), ROM (read-only memory), EPROM 
(electrically programmable ROM) EEPROM: (electri- 
cally erasable programmable ROM) and others, such as 
register files. FIFO (first-in/first-out) buffers, etc. 
[0008] A conductive layer CN 2 covers the circuit ele- 
ments 14, M 1t M 2 , M n . 16. 17, 18, 20 to shield such cir- 
cuit elements from inspection, and thereby defines the 
secure area 1 1 . 

[0009] Within the non secure area 12, the chip 10 
defines the following circuit elements, a memory 24, a 
logic circuit 26 and a nonsecure data bus 28. 
[0010] In a chip 10 including MOS circuit elements, as 
illustrated in Figures 2 and 3. the chip includes a semi- 
conductive substrate layer SC. a first dielectric layer 
DE-j, a first conductive layer CN 1t a second dielectric 
layer DE 2 , a second conductive layer CN 2 , an nth dilec- 
tric layer DE n and an nth conductive layer CN n . Diffu- 
sions S and D in the semiconductive substrate layer SC 
define sources and drains, which are combined with 
gate conductors G and interconnected by the first con- 
ductive layer CN^ to define complementary MOS field 



effect transistors that are arrayed to define the circuit 
elements of the chip 10. The first conductive layer CN^ 
is coupled to a source S and a drain D by conductive 
contacts 30 through holes in the first dielectric layer 

5 DE 1 . The second conductive layer Cl^ is coupled to the 
first conductive layer CN t , by a contact 31 through a 
hole in the second dielectric layer DE 2 for conducting to 
the circuit elements a predetermined signal that is 
essential to an intended function of the shielded circuit 

10 elements. 

[0011] Removal of the second conductive layer CN 2 
will prevent the predetermined essential signal from 
being provided to the circuit elements and thereby pre- 
vent the intended function. The second conductive layer 
is Ct*2 overlies the circuit elements to thereby define the 
secure area 11 in which the circuit elements are 
shielded from inspection. 

[0012] In a chip 1 0 including bipolar elements, as illus- 
trated in Figure 4. the chip includes a semiconductive 

20 substrate layer SC, a first cfielectric layer DE V a first 
conductive layer CN V second dielectric layer CN V an 
nth dielectric layer DE n , and an nth conductive layer 
CN n . Diffusions C, B and E in the semiconductive layer 
SC define collectors, bases and emitters which are 

25 interconnected by the first conductive layer CN«,. to 
define bipolar transistors that are arrayed to define the 
circuit elements of the chip 10. The first conductive layer 
CN 1f is coupled to a collector C and a base B by con- 
ductive contacts 32 through holes in the first dieletric 

30 layer DE 1 for x cpnducting to the circuit elements a prede- 
termined signal that is essential to an intended function 
of the shielded circuit elements. The second conductive 
layer CNfe is coupled to the first conductive layer CN 1 , by 
a contact 33 through a hole in the second dielectric 

35 layer DE 2 for conducting to the circuit elements a prede- 
termined signal that is essential to an intended function 
of the shielded circuit elements. 
[0013] Removal of the second conductive layer CN 2 
will prevent the predetermined essential signal from 

40 being provided to the circuit elements and thereby pre- 
vent the intended function. The second conductive layer 
CN 2 overlies the circuit elements to thereby define the 
secure area 11 in which the circuit elements are 
shielded from inspection. 

45 [0014] All circuit elements of the chip 10 that distrib- 
ute, store, process or affect the processing of secure 
data utilise conductive layers, such as the interconnect 
layer CN 1t that are fabricated before and lie under the 
conductive layer, such as layer CN2. which functions as 

50 a shield and thereby defines the boundaries of the 
secure area 1 1 . 

[0015] The second conductive layer CN2 acts both as 
a shield to mechanical and SEM probing and as a pre- 
determined essential signal carrying layer that cannot 
55 be removed without rendering the underlying circuit ele- 
ments inoperable. The predetermined essential signal 
may be either a power signal or a control signal, such as 
an instruction. When the predetermined essential signal 



3 



5 



BP 0 920 057 A2 



6 



is a power signal, removal of the shield layer CN 2 by 
either mechanical, chemical or other means for inspec- 
tion purposes will then remove power from the underly- 
ing circuit elements, rendering them inoperable and 
also possibly forcing the same circuit elements to lose 
any data or logic state stored therein. 
[0016] The technique is particularly effective for pro- 
tecting secure data stored in a volatile memory, such as 
a volatile RAM. In an embodiment of the chip 10 in 
whicb the memories M 1 and M 2 are volatile memories, 
each of such memories M 1( M 2 is covered by the sec- 
ond conductive layer CN 2 to shield the memories M 1t 
M 2 from inspection; and a power signal is separately 
distributed to each of the memories M 1( M 2 from {he 
portion of the second conductive layer CN 2 that overlies 
the respective memory Mj, M 2 . Such distribution is 
shown in Figure 5, wherein the second conductive layer 
CN 2 is connected by a contact 34 to the source S of a 
transistor included in a volatile memory for providing 
power to the memory. Removal of ttje overtying portion 
of the second conductive layer CN £ to enable inspection 
of the respective memory M n , M 2 results in power being 
removed from the respective memory M 1f M 2 . Since the 
memory M 1t M 2 is volatile, removal of power therefrom 
results in deletion of the secure data stored therein. 
Accordingly an attempt to inspect the contents of either 
of the memories M t , M 2 by removing only the portion of 
the second conductive layer CN 2 that overlies such 
memory will be unavailing. 

[0017] In an alternative arrangement shown in Figure 
6, power signals Vqc are distributed from the second 
conductive layer Cf^ to a plurality of volatile memory 
elements M in a manner that takes up less space than 
in the embodiment described above, in which power is 
separately distributed to each of the memory elements 
M from only that portion of the second conductive layer 
as overlies such memory element M. In this arrange- 
ment each row of memory elements M receives power 
from the overlying second conductive layer CN 2 via a 
separate underlying first conductive layer CN 1 . The sec- 
ond conductive layer CN^ is connected to the respective 
first conductive layer Cf^ by conductive contacts 35. 
Although this arrangement does trade off some security 
for area efficiency, an attempt to inspect these memory 
elements M without causing the data to be deleted by a 
power loss resulting from removal of the second con- 
ductive layer CN 2 would require very high resolution 
removal of the second conductive layer CN 2 while leav- 
ing intact all interlayer conductive contacts 35 and the 
portion of the second conductive layer CN 2 that distrib- 
utes power to these contacts 35. 
[0018] Any combination of conductive layers may be 
used in this arrangement. The use of the conductive lay- 
ers most highly embedded within the vertical dimension 
of the chip as the shielding conductive layers results in 
the greatest security. 

[0019] Referring again to Figure 1. within the non 
secure area 12, the logic elements 26 and the memory 



24 process and store nonsecure data and control sig- 
nals. The non secure data and control signals are trans- 
ferred from the nonsecure data bus 28 to the secure 
data bus 16 in the secure area 1 1 by the transfer logic 

5 circuit 1 8. The transfer logic circuit 1 8 transfers the non- 
secure data and control signals to the secure data bus 
16 within the secure area 11 for processing with the 
secure data by the microprocessor 14. The transfer 
logic circuit 18 enables the nonsecure data and the con- 

10 trol signals to be transferred between the non secure 
data bus 28 and the secure data bus 16 in response to 
control signals generated by the microprocessor 14 that 
indicate when nonsecure data is present on the secure 
data bus 16. The microprocessor 14 monitors the status 

75 of the data signals on the secure data bus 16, and gen- 
erates the control signals that enable the logic circuit 18 
to transfer data signals and control signals between the 
nonsecure data bus 28 and the secure data bus 16 only 
during such times as nonsecure data is present on the 

20 secure data bus 16. 

[0020] As described above, the conductive layer CN 2 
overlies the transfer logic circuit 1 8 in order to shield the 
transfer logic circuit from inspection. The conductive 
layer CN 2 also conducts a power signal to the transfer 

25 logic circuit 1 8, whereby removal of the conductive layer 
CN 2 for the purpose of inspecting the transfer logic cir- 
cuit 18 results in power being removed from the transfer 
logic circuit 18 and prevents the logic circuit 18 from 
transferring any data or control signals between the 

30 secure data bus, 16 and the nonsecure data bus 28. 
Likewise, removal x>f the conductive layer CN2 in order 
to allow control signals to be delivered to the transfer 
logic circuit 18 by such means as a probe for enabling 
secure data to be transferred from the secure area 1 1 to 

35 the non secure area 12 of the chip 10 will be unavailing 
since such removal of the shielding conductive layer 
CN 2 also removes power from the transfer logic circuit 
18. 

[0021 ] This technique may be extended in the reverse 

40 direction, so that clandestine data cannot be written into 
a secure memory M 1 , M 2 . M„ from the non secure area 
12. The microprocessor 14 provides memory access 
logic circuit, which enables data on the secure data bus 
16 to be stored in the memories M 1§ M 2 , and the 

45 shielding conductive layer CIS^ conducts a power signal 
to the microprocessor 14. Thus removal of the shielding 
conductive layer CN 2 in order to deliver control signals 
to the memory access logic circuit of the microproces- 
sor 14 that would enable clandestine data to be substi- 

50 tuted in the memories of M 1t M 2 , M n for the secure data 
to thereby compromise the intended security of the chip 
would be unavailing since removal of the shielding con- 
ductive layer CN 2 removes power from the microproces- 
sor 14 and thereby prevents the memory access logic 

55 circuit therein from enabling data to be stored in the 
memories M 1t M 2 , M n . 

[0022] In one example each of the shielding logic cir- 
cuits 14, 18 in the secure area is separately coupled to 
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only that portion of the shielding conductive layer CN 2 
that overlies such logic circuit 14, 18 for receiving a 
power signal from only that overlying portion of the 
shielding conductive layer CN 2 . 

[0023] In an example shown in Figure 7, a secure sig- 5 
nal is distributed in a conductive layer CN 1t that under- 
lies layers CN 2 and CN n , and shielding signals (such as 
essential control or power signals) are distributed in the 
overlying shield layers CN 2 and CN n , respectively. The 
boundaries of one shielding conductive layer CN n , are 
shown in the drawing by solid lines, the boundaries of 
the other shielding conductive layer CN 2 are shown in 
the drawing by dashed lines, and the undertying con- 
ductive layer CN 1 is shown in the drawing by shading. 
The underlying conductive layer CN-, is entirely shielded 
by either one or the other of the shielding conductive 
layers CN 2 and CN n and one portion of the underlying 
conductive layer CN^ is shielded by both of the shielding 
conductive layers CN 2 and CN n . 
[0024] An attempt at cutting through the shield layers 
CN 2 and Cn n with chemicals or conventional lasers or 
microprobes to gain access to the secure signal in the 
conductive layer Ct^ results either in the conductive 
layer CN 1 becoming connected (shorted) to the shield 
layers CN 2 and CN n or in an open circuit being created 
in the circuit paths defined by the conductive layers 
CN n , CN 2 . CN n , which thereby disrupts distribution of 
the secure signal and the essential signals and alters 
the intended functions of the circuit elements connected 
to the conductive layers CN 1t CN 2 and CN n so as to 
impair the intended function of the chip 10. 
[0025] tt is critically important that certain secure data 
stored in the chip 10 during formation of a product that 
includes the chip not be modified after the storage of 
such secure data To accomplish this purpose the chip 
10 includes a system for preventing the alteration of 
secure data stored in a predetermined memory loca- 
tion. Alternative embodiments of such a prevention sys- 
tem are shown in Figures 8 and 9. 
[0026] The system of Figure 8 includes a memory M, 
a memory control logic circuit 38. a decoder 40, a fuse 
element 42 and a fuse altering device 44. This system is 
applicable to and includes as the memory M. each of 
the memories M 1t M 2 , M n in which secure data is 
stored. 

[0027] The memory M has a plurality of memory loca- 
tions, with a predetermined location being for the stor- 
age of unalterable secure data from the data bus 16. 
[0028] The memory control logic circuit 38 is coupled 
to the memory M by an address bus 46 for causing data 
to be stored in locations of the memory M indicated by 
address signals provided on the address bus 46 when a 
"write" signal is provided on line 47 from the memory 
control logic circuit 38 to the secure memory M. 
[0029] The fuse element 42 has an initial state and an 
irreversibly altered state. The term "fuse element" refers 
to both fuses and antifuses. Fuse elements are formed 
in the chip 10 by the combination of a metallic conduc- 



tive layer and a polysilicon conductive layer. Antifuse 
elements can be formed in the chip by metallic conduc- 
tive layers, polysilicon conductive layers or a combina- 
tion of both. Antifuse elements are formed by P + /N + 
semiconductor junction diodes and P\N" semiconductor 
junction diodes formed in a semi conductive layer of the 
chip by conductor/oxide conductor structures or by con- 
ductor/amorphous silicon/conductor structures in the 
chip. 

[0030] The fuse altering device 44 is coupled to the 
fuse element 42 for irreversibly altering the state of the 
fuse element 42 in response to a predetermined control 
signal received on line 48 from a terminal 50 that is 
external to the secure area 1 1 . Alternatively, the control 
signal on line 48 is received from a terminal (not shown) 
that is internal to the secure area 11. 
[0031 ] The decoder 40 is coupled to the fuse element 
42, the memory control circuit 38 and the address bus 
46 for monitoring the state of the fuse element 42 and 
the address signals on the address bus 46, and for pre- 
venting the memory control circuit 38 from causing data 
to be stored in the predetermined memory location of 
the memory M after the state of the fuse element 42 has 
been altered irreversibly whenever the predetermined 
memory location is indicated by an address signal on 
the address bus 46. 

[0032] The second conductive layer CN 2 shields the 
memory M, the memory control logic circuit 38, the 
decoder 40, and the fuse element 42 from direct exter- 
nal access. v , 

[0033] The memory M, the memory control logic cir- 
cuit 38 and the decoder 40 are all coupled to the second 
conductive layer CN 2 so as to be powered by the power 
signal carried by the second conductive layer CN 2 . 
[0034] The system of Figure 8 is used to prevent the 
alteration of secure data initially stored in the predeter- 
mined locations of the memory M. Once the state of the 
fuse element 42 is irreversibly changed, the decoder 40 
prevents the writing of any further data into the prede- 
termined memory locations indicated by the address 
signals on the address bus 46. 

[0035] The fuse element 42 in the system of Figure 8 
also may be connected to other shielded circuit, ele- 
ments (not shown) that perform or affect certain prelim- 
inary secure data processing functions that are 
applicable only prior to such time as the product that 
includes the chip is distributed to users of the product, 
such as preliminary processing of the secure data or the 
loading of instructions for processing the secure data. 
Means, such as the decoder 40, are coupled to the fuse 
element 42 and such other shielded circuit elements for 
monitoring the state of the fuse element and for prevent- 
ing the intended function of such other shielded circuit 
element after the state of the fuse element has been 
altered irreversibly. 

[0036] Many fuse technologies allow fusing only at a 
foundry during the secure integrated circuit chip fabrica- 
tion process. For example, certain foundries may 
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require that an oxide be grown over a polysilicon (or 
other fuse material) after the fuse has been blown to 
afford better long term device reliability. The system of 
Figure 9 allows a separate manufacturer to load secure 
data into the secure memory M after foundry fusing, yet 
still prevents alteration of the contents of the memory M. 
[0037] The system of Figure 9 includes a memory M, 
an erasable memory 52, such as an EPROM or an 
EEROM (electrically erasable ROM), memory control 
logic jcircuit 54, an enabling circuit 55, a fuse element 

56. an AND gate 57 and a fuse altering device 58. The 
memory control logic circuit 54 includes an AND gate 
60, and N connections including wiring and inverters 62 
that couple the AND gate 60 to the erasable memory 
52. The inverters 62 are connected between selected * 
inputs to the AND gate 60 and selected memory loca- 
tions in the erasable memory 52 so as to define a pre- 
determined data pattern in the erasable memory 52 that 
must be present to enable the AND gate 60. - 
[0038] The memory M has a plurality of memory loca- 
tions, with a predetermined locatidn being for the stor- 
age of unalterable secure data. 

[0039] The enabling circuit 55 enables a data pattern 
to be stored in the erasable memory 52 when a write 
enable signal is applied on line 63 to the enabling circuit 
55. 

[0040] The memory control logic circuit 54 couples the 
memory M to the erasable memory 52 in such a manner 
as to cause data to be stored in the predetermined loca- 
tion of the first memory M in response to a write signal 
on line 64 to the AND gate 60 whenever the erasable 
memory 52 contains a predetermined data pattern. 
[0041] The contents of the erasable memory 52 may 
be erased by providing an "erase" control signal at an 
erase terminal 66 located outside the secure area 1 1 of 
the chip 10. 

[0042] The fuse element 56 has an initial state and an 
irreversibly altered state The fuse altering device 58 is 
coupled to the fuse element 56 for irreversibly altering 
the state of the fuse element 56 in response to a prede- 
termined control signal received on line 67 from a termi- 
nal 68 that is external to the secure area 11. 
Alternatively, the control signal on line 67 is received 
from a terminal (not shown) that is internal to the secure 
area 1 1 . 

[0043] A data pattern is provided at a data terminal 69 
and fed into the erasable memory through the AND gate 

57. The AND gate 57 has one input connected to the 
fuse element 56 so as to enable data to be written into 
the erasable memory 52 only while the fuse element 56 
is in its initial state. 

[0044] The fuse element 56 also is coupled to the ena- 
bling circuit 55 so as to enable the predetermined data 
pattern to be stored in the erasable memory 52 only 
prior to the state of the fuse element 56 being irreversi- 
bly altered. 

[0045] N bits of erasable memory 52 are required. At 
the foundry, the predetermined pattern of ones and 



zeros corresponding to the pattern of inverters 62 cou- 
pling the erasable memory 52 to the AND gate 60 is 
loaded into the erasable memory 52 to enable the AND 
gate 60 to pass a "write" control signal on line 64 to the 

5 memory M. After the predetermined pattern of ones and 
zeros is loaded into the erasable memory 52, the state 
of the fuse element is irreverstoly altered so that the pre- 
determined pattern cannot be changed. At this point, 
processing and packaging of the integrated circuit chip 

w 10 can continue, subject to the condition that the final 
processing and packaging steps do not disturb the 
stored predetermined pattern in the erasable memory 
52. 

[0046] After the chip 10 is shpped to a separate man- 

is ufacturer, secure data can be stored in the secure mem- 
ory M since the predetermined pattern stored in the 
erasable memory 52 matches the predetermined pat- 
tern hard-wired into the memory control logic circuit 54 
by the inverters 62. 

20 [0047] Once the secure data is stored in the secure 
memory M, an "erase" signal is applied to the erase ter- 
minal 66 to erase the contents of the erasable memory 
52 and thereby prevent alteration of the secure data 
stored in the secure memory M. 

25 [0048] The second conductive layer CN 2 shields the 
memory M, the erasable memory 52, the memory con- 
trol logic circuit 54. the enabling circuit 55 and the fuse 
element 56 from direct external access. 
[0049] This technique makes the system of Figure 9 

30 secure from any.attack short of an extremely precise X- 
ray beam or other complex means that may be used to 
remotely reprogram the erasable memory 52 through 
the covering layers of the chip 10. The security of this 
technique relies on the fact it is difficult to remotely 

35 reprogram the contents of an EEROM or EPROM, or to 
reconnect a blown fuse element. If a high power unfo- 
cused or diffuse X-ray or other means could essentially 
randomise the EEROM or EPROM contents, then an 
attacker could make repeated attempts to achieve the 

40 enabling pattern. Thus, security may also require that 
the EEROM or EPROM cells be designed to be biased 
in terms of their state, in other words, biased towards a 
preferred pattern of all ones or all zeros. Thus any unfo- 
cused beam would with high probability drive the con- 

45 tents to the preferred pattern rather than to the 
predetermined pattern that enables data to be stored in 
the memory M. Security can also be increased by using 
a longer predetermined pattern, with a larger number N 
of bits. 

so [0050] The memory M, the erasable memory 52, the 
AND gate 60 and the enabling circuit 55 are all coupled 
to the second conductive layer CN 2 so as to be powered 
by the power signal carried by the second conductive 
layer CN2. 

55 [0051] The fuse element 56 in the system of Figure 9 
also may be connected to other shielded circuit ele- 
ments (not shown) that perform or affect certain prelim- 
inary secure data processing functions that are 
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applicable only prior to such time as the product that 
includes the chip is distributed to users of the product, 
such as preliminary processing of the secure data or the 
loading of instructions for processing the secure data. 
The fuse element 56 is coupled to such other shielded 
circuit element so as to enable the intended function of 
such other shielded circuit element only prior to the 
state of the fuse element being irreversibly altered. 
[0052] The secure data alteration prevention systems 
of- Figures 8 and 9 are the subject of a commonly 
assigned patent EP-A-0378307 filed 4 January 1990, 
entitled "Prevention of Alteration of Data Stored in 
Secure Integrated Circuit Chip Memory". 
[0053] Manufacturing of complex integrated Circuit 
chips requires complete access to the internal circuit 
elements during testing operations to insure that all 
included circuit elements work correctly. However, high 
accessibility for testing purposes generally is a security 
weakness for chips containing secure data or data 
which should not be modified. ^ 
[0054] Figure 1 0 shows a system for permanently dis- 
abling test signal paths after testing operations are com- 
pleted, so that no further access to internal secure 
circuit elements from the external pins of the chip is pos- 
sible. This system includes a fuse element 70. first and 
second inverters 72, 74, a resistance 75, first and sec- 
ond NAND gates 76. 78 and a fuse altering device 79. 
[0055] The fuse element 70 has a initial state and an 
irreversibly altered state. Ihe fuse altering device 79 is 
coupled to the fuse element 70 for irreversibly altering 
the state of the fuse element 70 in response to a prede- 
termined control signal received on fine 80 from a termi- 
nal 81 that is external to the secure area 11. 
Alternatively, the control signal on line 80- is received 
from a terminal (not shown) that is internal to the secure 
area 11. 

[0056] The fuse element 70 is coupled to the first and 
second NAND gates 76, 78 so as to enable the secure 
areas of the chip 1 0 to be accessed for testing only prior 
to the state of the fuse element 70 being irreversfcly 
altered. 

[0057] The fuse element 70 and the inverters 72, 74 
are connected in series to one input to the first NAND 
gate 76. The output of the first NAND gate 76 is applied 
to an external test data output terminal 82. 
[0058] The fuse element 70 and the inverters 72, 74 
are also connected in series to one input to the second 
NAND gate 78. 

[0059] The second NAND gate 78 passes a test com- 
mand signal from an internal test command input termi- 
nal 84 to a test command input node 86 within the 
secure area 11 of the chip 10. Test data is provided at 
internal test data output node 88 within the secure area 
11 of the chip 10 in response to a test command input 
signal being provided to the internal test command input 
node 86. The test data provided at the internal test data 
output terminal may be accessed from the secure circuit 
elements of the chip 1 0, such as the circuit elements 14, 



M, M 2 , M n , 16. 17, 18, 20 (Figure 1). 
[0060] The test data is provided from the internal test 
data output node 88 through the first NAND gate 76 to 
the external test data output terminal 82 only while the 
5 fuse element 70 is in its initial state. 

[0061 ] Also, the test command input signal is provided 
from the external test command input terminal 84 to the 
internal test command input node 86 only while the fuse 
is in its initial state. 
w [0062] The second conductive layer CN 2 shields the 
fuse element 70. the inverters 72, 74, the resistor 75 
and the NAND gates 76, 78 from direct external access. 
[0063] The inverters 72, 74, the resistor 75 and the 
NAND gates 76, 78 are all coupled to the second con- 
is ductive layer CN 2 so as to be powered by the power sig- 
nal carried by the second conductive layer CN 2 . 
[0064] Additional protection is afforded by burying the 
signal paths from the fuse dement 70 to the first and 
second NAND gates 76. 78 as far down into the chip 10 
20 as possibl e to further preclude probe attacks. Therefore, 
the signal paths from the fuse element 70 to the first and 
second NAND gates 76. 78 are distributed primarily to 
an N+ or P+ diffusion. Polysificon and other conductive 
layers may be used as well, with diminishing security- 
's The use of the uppermost conductive layers CN n CN^ 
should be avoided. 



Claims 

30 1. An integrated circuit chip (10) containing a secure 
area (1 1) in which secure data is processed and/or 
stored, comprising 

a semiconductor layer (SC) containing d'rffu- 
35 sions (S.D) defining circuit element compo- 

nents; 

a first conductive layer (CN^ coupled to the 
semiconductor layer to interconnect the com- 
40 ponents to thereby define circuit elements (14, 

16, 17, 18, 20, M 1( M n ) for distributing, stor- 
ing, processing and/or affecting the procesing 
of secure data; 

45 a second conductive layer (CN 2 ) overlying the 

circuit elements to thereby define a secure 
area (11) in which the circuit elements are 
shielded from inspection, and coupled to the 
circuit elements for conducting to the circuit 

50 elements a predetermined signal that is essen- 

tial to an intended function of the circuit ele- 
ments, whereby removal of the second 
conductive layer will prevent the predetermined 
essential signal from being provided to the cir- 

55 curt elements and thereby prevent the intended 

function; 

characterised in that the shielded circuit ele- 
ments further comprise: 
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a fuse element (42, 57, 70) having an initial 
state and an irreversibly altered state; and 

means (44, 58, 79) coupled to the fuse element 
for irreversibly altering the state of the fuse ele- 5 
ment in response to a predetermined control 
signal; 

wherein the fuse element is coupled to another 
component of the chip such that irreversibly 
m altering the state of the fuse element prevents io 
some function of the chip. 

An integrated circuit chip according to Claim 1, 
characterised in that the shielded circuit elements 
comprise means (60) for enabling said storage of* is 
secure data; and that the fuse element (56) is cou- 
pled to the enabling means so as to enable said 
secure data storage only prior to the state of the 
fuse element being irreversibly altered. - 

An integrated circuit chip according to Claim 1 , fur- 
ther comprising: 

means (78) for accessing said circuit elements 
for testing said circuit elements; 25 
characterised by the fuse element (70) being 
coupled to the accessing means so as to ena- 
ble said access for testing only prior to the state 
of the fuse element being irreversibly altered. 

30 

An integrated circuit chip according to Claim 1, 
characterised in that the shielded circuit elements 
comprise: 

a given circuit element (M) that stores, proc- 35 
esses or affects the processing of secure data; 
and 

means coupled to the fuse element (42) and 
the given circuit element (M) for monitoring the 
state of the fuse element and for preventing the 40 
intended function of the given circuit element 
after the state of the fuse element has been 
irreversibly altered. 



45 



50 



55 



8 



EP 0 920 057 A2 



10 



NONSECURE AREA 12 



r 



NONSECURE 
MEMORY 



20 



24 



NONSECURE 
DATA 
BUS 28 ' 

\ 



CLOCK 

AND 
POWER 
CONTROL 



NONSECURE 
LOGIC 



26 



L_ 



TRANSFER 
LOGIC 

— 



18 



SECURE AREA 



14 



SECURE 
MICROPROCESSOR 



SECURE 
DATA 
BUS 16 



SECURE 
ADDRESS 
BUS 17 



SECURE 
MEMORY 



Mi 



SECURE 
MEMORY 



M 2 



SECURE 
MEMORY 



M n 



J 



FIG. 1 



10 





31 


'//a 


G — VNSWl 


^~^30 30" 


y RwsTOi g 


S 


D 


S D 



CN n 
-DE n 
•CN 2 
DE 2 
CNt 
V DE-| 

SC 



FIG. 2 



9 



EP 0 920 057 A2 





10 



EP 0 920 057 A2 



35 



^ CN 1 



Wcc 



M 



35 



11 



M 



35 



^CS3 



11 



M 



IX 



M 



^ CN 1 



M 



^ CN 1 



M 



1_E 



M 



11 



M 



11 



M 



M 



M 



M 



11 



FIG. 6 



CN 



2i 



Sir, i'-'iA 



r T.r 
i ' 
i 
i 





CN 2 



FIG. 7 



CN-| 



CN-j 



CN 



n 



[SI 

H;^{_ 



CN 2 



CNi 



11 



EP 0 920 057 A2 



50 



42 

r 


.40 

r 


FUSE 




DECODER 


ELEMENT 









DATA BUS 16 



■A 



FUSE 
ALTERING 
DEVICE 



ALTER 
FUSE 



44 



r 



38 



MEMORY 
CONTROL 
LOGIC 



47- 



V 



46 



WRITE 
SIGNAL 



H SECURE 
MEMORY 



CONTROL 
SIGNAL L 



48 



M 



ADDRESS 
BUS 

~^7~~~t- 



CN. 



10 



~J 



FIG. 8 



ALTER FUSE 
CONTROL 
SIGNAL 

l 68 ~ 



FIG. 9 



11- 



-69 



56 



FUSE 
ELEMENT 

~7\ 



I67 



-CN 2 



W>— f 



52 




S ERASABLE 
MEMORY 



"63 55 
ENABLE 
PATTERN 



PUl^c- T 

TO ./ 
SECURE 64 , 
MEMORY 



60 



58 



FUSE 
ALTERING 
DEVICE 



64- 



M 



SECURE _ 
MEMORY 13 



1 



ERASE 
~"^66 



10 



12 



EP 0 920 057 A2 



-10 



ALTER FUSE 
CONTROL 
SIGNAL 



T 

81 



11 



r 



r\ 



FUSE 
ELEMENT 



70 




zT 79 



FUSE 
ALTERING 
DEVICE 



SECURE 
TEST .7. 

DATA V 



88 



76 



SE^URE^ 
COMMAND 




| COMMAND | 



TEST 
DATA 



1 



TEST 
COMMAND 



84 



FIG. 10 



13 



t 



(19) 



J 



(12) 



(88) Date of publication A3: 

12.01.2000 Bulletin 2000/02 

(43) Date of publication A2: 
* 02.06.1999 Bulletin 1999/22 

(21) * Application number: 99102130.4 

(22) Date of filing: 04.01.1990 



Europaisches Patentarrrt 
European Patent Office 

Office europeen des brevets (11) EP 0 920 057 A3 

EUROPEAN PATENT APPLICATION 

(51) int. CI. 7 . H01L 23/58, G11C7/00 



(84) 


Designated Contracting States: 


• Knowles, Richard M 


BE CH DE DK ES FR GB LI NL SE 


Escondido, California 92026 (US) 






• Moroney, Paul 


(30) 


Priority: 12.01.1989 US 297472 


Olivenhain, California 92024 (US) 


• Shumate, William alien 


(62) 


Document number(s) of the earlier application(s) in 


Poway, California 92064 (US) 




accordance with Art. 76 EPC: 






90300090.9 / 0 378 306 


(74) Representative: 






Blatchford, William Michael el al 


(71) 


Applicant: 


Withers & Rogers 




General Instrument Corporation 


Goldings House, 




Horsham, Pennsylvania 19044 (US) 


2 Hays Lane 






London SE1 2HW(GB) 


(72) Inventors: 




• 


Gilbert, Robert C 






San Diego, California 92131 (US) 





CO 

< 

LO 

o 
o 

CM 

o> 



(54) Secure integrated chip with conductive shield 

(57) A chip includes a secure section 11 having a 
fuse element 56 and a fuse altering device 58. A prede- 
termined data pattern is formed by wiring and inverters 
62 connected between an erasable memory 52 and an 
AND gate 60. An enabling circuit 55 allows the predeter- 
mined data pattern to be written into the memory 52 
when an appropriate control signal is received at a ter- 
minal 63. The state of the fuse element 56 is then irre- 
versibly altered by the fuse altering device 58 so that the 
predetermined data pattern in the memory 52 cannot be 
changed. After final pressing and packaging, secure 
data may be stored in a secure memory M since the 
data pattern in the memory 52 is the same as that in the 
inverters 62. Once the secure data is stored, an erase 
signal is provided to terminal 66 which thereby erases 
the memory 52. The contents of the secure memory M 
are thereafter unalterable. 
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